1. A method comprising:

receiving notification of a distributed denial of service attack;

establishing security authentication from an upstream router from which attack traffic, transmitted by one or more attack host computers, is received; and

once security authentication is established, transmitting one or more filters to the upstream router such that attack traffic is dropped by the upstream router, thereby terminating the distributed denial of service attack.

2. The method of claim 1, wherein detecting the attack traffic further comprises:

monitoring network traffic received by an Internet host; and

when a distributed denial of service attack is detected, notifying the Internet host of the distributed denial of service attack.

3. The method of claim 1, wherein establishing security authentication further comprises:

transmitting a security authentication request to the upstream router including authentication information, the authorization information including a destination address of the attack traffic; and

receiving authorization for establishment of security authentication from the upstream router.

4. The method of claim 1, wherein the transmitting the one or more filters further comprises:

identifying attack traffic characteristics of the attack traffic received by an Internet host;

generating one or more filters based on the identified attack traffic characteristics, such that the one or more filters direct the upstream router to drop network traffic matching the attack traffic characteristics;

digitally signing the one or more filters using a digital certificate of the Internet host; and

transmitting the one or more digitally signed filters to the upstream router.

5. A method comprising:

establishing security authentication of an Internet host under a distributed denial of service (DDoS) attack;

receiving one or more filters from the Internet host;

when security authentication is established, verifying that the one or more filters select only network traffic directed to the Internet host; and

once verified, installing the one or more filters such that network traffic matching the one or more filters is prevented from reaching the Internet host.

6. The method of claim 5, wherein establishing security authentication further comprises:

receiving a request for security authentication including authentication information from the Internet host;

selecting the authentication information from the security authentication request; and

authenticating an identity of the Internet host based on the selected authentication information.

7. The method of claim 5, wherein the receiving the one or more filters further comprises:

authenticating a source of the one or more filters received as the Internet host;

once authenticated, verifying that a router administrator has set a DDoS squelch time to live value for received filters;

once verified, generating a filter expiration time for each filter based on the time to live value, such that the filters are uninstalled once the expiration time expires;

verifying that an action component of each of the filters is drop; and

otherwise, disregarding the one or more filters received from the Internet host.

8. The method of claim 5, wherein verifying the one or more filters further comprises:

selecting a destination address component for each of the one or more filters received from the Internet host;

comparing the selected destination address components against an address of the Internet host;

verifying that the selected destination addresses match the Internet host address; and

otherwise, disregarding the one or more filters received from the Internet host.

9. The method of claim 5, wherein installing the one or more filters further comprises:

selecting network traffic matching one or more of the filters received from the Internet host; and

dropping the selected network traffic such that attack traffic received from one or more attack host computers by the Internet host is eliminated in order to terminate the distributed denial of service attack.
10. The method of claim 5, further comprising:

determining, by an upstream router receiving the one or more filters from the Internet host, one or more ports from which the attack traffic matching the one or more filters is being received based on a routing table;

selecting a port from the one or more determined ports;

determining an upstream router connected to the selected port based on a routing table;

securely forwarding the one or more filters received from the Internet host to the detected upstream router as a routing protocol update; and

repeating the selecting, determining and utilizing for each of the one or more determined ports.



11. A method comprising:

receiving a routing protocol update from a downstream router;

selecting one or more filters from the routing protocol update received from the downstream router;

establishing security authentication of the downstream router;

once authentication is established, verifying that the one or more filters select only network traffic directed to the downstream router; and

once verified, installing the one or more filters such that attack traffic matching the one or more filters is prevented from reaching the downstream router.

12. The method of claim 11, wherein establishing security authentication of the downstream router further comprises:

selecting authentication information from the routing protocol update received from the downstream router;

once selected, authenticating an identity of the downstream router based on the authentication information;

authenticating a source of the one or more filters as the downstream router;

once authenticated, verifying that a router administrator has set a DDoS squelch time to live value for received filters;

once verified, generating a filter expiration time for each filter based on the time to live value, such that the filters are uninstalled once the expiration time expires;

verifying that an action component of each of the filters is drop; and

otherwise, disregarding the one or more filters received from the downstream router.

13. The method of claim 11, wherein verifying the one or more filters further comprises:

selecting a destination address component for each of the one or more filters;

comparing the selected destination address component against an address of the downstream router;

verifying that the selected destination address matches the downstream router address; and

otherwise, disregarding the one or more filters received from the downstream router.
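The router-side acceptance checks of claims 7 and 8 (restated for a downstream router in claims 12 and 13), as an added example that is not from the patent: an HMAC over the filter fields stands in for the certificate-based signature the claims describe, and the filter fields, host address and 600-second squelch TTL are constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed shared key standing in for the Internet host's digital certificate
# (an assumption for this example; the claims sign filters with a certificate).
HOST_KEY = b"constructed-demo-key"


def sign_filter(flt, key):
    """Host side (claim 4): tag the filter so the router can authenticate its source."""
    msg = "|".join(f"{k}={flt[k]}" for k in sorted(flt)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_filter(flt, tag, key, host_addr, squelch_ttl, now):
    """Router side (claims 7 and 8): return (accept, expiry or rejection reason)."""
    # Claim 7: authenticate the source of the filter as the Internet host.
    if not hmac.compare_digest(sign_filter(flt, key), tag):
        return False, "source authentication failed"
    # Claim 7: an administrator must have set a DDoS squelch time to live.
    if squelch_ttl is None:
        return False, "no DDoS squelch time to live configured"
    # Claim 7: the action component of every accepted filter must be drop.
    if flt.get("action") != "drop":
        return False, "action component is not drop"
    # Claim 8: the destination component must match the requesting host's address.
    try:
        dst = ipaddress.ip_network(flt["dst"], strict=False)
    except (KeyError, ValueError):
        return False, "missing or malformed destination address"
    if dst != ipaddress.ip_network(host_addr):
        return False, "destination does not match the Internet host address"
    # Claim 7: the filter is installed with an expiration time derived from the TTL.
    return True, now + squelch_ttl


def process_filters(signed_filters, key, host_addr, squelch_ttl, now):
    """Install the filters that pass every check; disregard the rest (claims 7-9)."""
    installed, disregarded = [], []
    for flt, tag in signed_filters:
        ok, info = verify_filter(flt, tag, key, host_addr, squelch_ttl, now)
        (installed if ok else disregarded).append((flt, info))
    return installed, disregarded
```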

14. The method of claim 11, further comprising:

determining, by an upstream router receiving the one or more filters from the downstream router, one or more ports from which attack traffic matching the one or more received filters is being received;

selecting a port from the one or more determined ports;

determining an upstream router coupled to the selected port based on a routing table;

securely forwarding the one or more received filters to the determined upstream router as a routing protocol update; and

repeating the selecting, determining, and forwarding for each of the one or more determined ports.
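The port determination and upstream forwarding of claims 10 and 14, as an added example that is not from the patent. The routing table, the assumption that traffic from a source arrives on the port the table uses to reach that source, and the update format are all constructed; signing and actual transmission of the update are left to the caller.

```python
import ipaddress

# Constructed routing table (an assumption for this example): destination prefix,
# the port it is reached through, and the upstream router on that port.
ROUTING_TABLE = [
    ("198.51.100.0/24", "port-1", "upstream-A"),
    ("192.0.2.0/24", "port-2", "upstream-B"),
    ("0.0.0.0/0", "port-3", "upstream-C"),
]


def longest_match(table, addr):
    """Return the (network, port, upstream) entry with the longest prefix covering addr."""
    best = None
    for prefix, port, upstream in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, port, upstream)
    return best


def attack_ports(table, attack_sources):
    """Claims 10/14: ports on which matching attack traffic arrives, from the table.
    Assumption: traffic from a source enters on the port the table uses to reach it."""
    ports = {}
    for src in attack_sources:
        entry = longest_match(table, ipaddress.ip_address(src))
        if entry is not None:
            ports[entry[1]] = entry[2]  # port -> upstream router on that port
    return ports


def propagate_filters(table, filters, attack_sources):
    """Claims 10/14: for each determined port, find the upstream router coupled to it
    and build the routing protocol update carrying the filters toward that router."""
    updates = []
    for port, upstream in sorted(attack_ports(table, attack_sources).items()):
        updates.append({
            "neighbor": upstream,
            "via_port": port,
            "update": {"type": "ddos-squelch", "filters": list(filters)},
        })
    return updates
```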

15. (Amended) A machine readable storage medium including program instructions that direct a system to function in a specific manner when executed by a processor, the program instructions comprising:

receiving notification of a distributed denial of service attack;

establishing security authentication from an upstream router from which attack traffic, transmitted by one or more attack host computers, is received; and

once security authentication is established, transmitting one or more filters to the upstream router such that attack traffic is dropped by the upstream router, thereby terminating the distributed denial of service attack.

16. (Amended) The machine readable storage medium of claim 15, wherein the instruction of detecting the attack traffic further comprises:

monitoring network traffic received by an Internet host; and

when a distributed denial of service attack is detected, notifying the Internet host of the distributed denial of service attack.

17. (Amended) The machine readable storage medium of claim 15, wherein establishing security authentication further comprises:

transmitting a security authentication request to the upstream router including authentication information, the authorization information including a destination address of the attack traffic; and

receiving authorization for establishment of security authentication from the upstream router.

18. (Amended) The machine readable storage medium of claim 15, wherein transmitting the one or more filters further comprises:

identifying attack traffic characteristics of the attack traffic received by an Internet host;

generating one or more filters based on the identified attack traffic characteristics, such that the one or more filters direct the upstream router to drop network traffic matching the attack traffic characteristics;

digitally signing the one or more filters using a digital certificate of the Internet host; and

transmitting the one or more digitally signed filters to the upstream router.

19. (Amended) A machine readable storage medium including program instructions that direct a system to function in a specific manner when executed by a processor, the program instructions comprising:

establishing a security authentication of a downstream device;

once security authentication is established, verifying that one or more filters from the downstream device select only network traffic directed to the downstream device; and

once verified, installing the one or more filters such that network traffic matching the one or more filters is prevented from reaching the downstream device.

20. (Amended) The machine readable storage medium of claim 19, wherein establishing security authentication further comprises:

receiving a routing protocol update from the downstream device;

selecting authentication information from the received routing protocol update;

authenticating an identity of the downstream device based on the selected authentication information;

once authenticated, selecting the one or more filters from the received routing protocol; and

authenticating integrity of the one or more filters based on a digital signature of the filters.

21. (Amended) The machine readable storage medium of claim 19, wherein verifying the one or more filters further comprises:

authenticating a source of the one or more filters received as the downstream device;

once authenticated, verifying that a router administrator has set a DDoS squelch time to live value for received filters;

once verified, generating a filter expiration time for each filter based on the time to live, such that the filters are uninstalled once the expiration time expires;

verifying that an action component of each of the filters is drop; and

otherwise, disregarding the one or more filters received from the Internet host.

22. (Amended) The machine readable storage medium of claim 19, wherein verifying the one or more filters further comprises:

selecting a destination address component for each of the one or more filters received from the downstream device;

comparing the destination address components against an address of the downstream device;

verifying that the selected destination addresses match the downstream device address; and

otherwise, disregarding the one or more filters received from the downstream device.

23. (Amended) The machine readable storage medium of claim 19, wherein establishing security authentication further comprises:

receiving a request for security authentication including authentication information from the downstream device;

selecting the authentication information from the security authentication request; and

authenticating an identity of the downstream device based on the selected authentication information.

24. (Amended) The machine readable storage medium of claim 19, wherein installing the one or more filters further comprises:

selecting network traffic matching one or more of the filters received from the downstream device; and

dropping the selected network traffic such that attack traffic received from one or more attack host computers by the downstream device is eliminated in order to terminate a distributed denial of service attack.

25. (Amended) The machine readable storage medium of claim 19, further comprising:

determining, by an upstream router receiving the one or more filters from the downstream router, one or more ports from which attack traffic matching the one or more received filters is being received;

selecting a port from the one or more determined ports;

determining an upstream router coupled to the selected port based on a routing table;

securely forwarding the one or more received filters to the determined upstream router as a routing protocol update; and

repeating the selecting, determining, and forwarding for each of the one or more determined ports.



